Office of Inspector General

Protection of Credit Card Numbers

05-01

April 21, 2005

Farm Credit Administration
Office of Inspector General
1501 Farm Credit Drive
McLean, VA 22102-5090
(703) 883-4030

June 2, 2005

The Honorable Nancy C. Pellett
Chairman of the Board and Chief Executive Officer
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102

Dear Ms. Pellett:

The Office of the Inspector General has completed an inspection of Agency credit card security controls. The objective of this inspection was to evaluate the controls over sensitive credit card information generated by Bank of America for the Farm Credit Administration.

We interviewed FCA staff responsible for travel and purchase cards and account reconciliations. We reviewed internal procedures for credit card programs and previous work performed by the OIG. The inspection followed the President’s Council on Integrity and Efficiency/Executive Council on Integrity and Efficiency Quality Standards for Inspections.

We found that Bank of America was unresponsive to previous account maintenance requests by the Agency’s Official Point of Contact. Actions taken by FCA will improve present data security conditions.

I would be pleased to meet with you and discuss the report at your convenience.

Respectfully,

Stephen G. Smith
Inspector General

Enclosure

BACKGROUND

The Farm Credit Administration (FCA or Agency) is an independent Federal bank regulatory agency that employs approximately 280 employees. Almost all employees have government travel credit cards. Additionally, 39 employees have credit cards for agency purchases.

FCA uses the services of Bank of America (BOA) for travel cards, purchase cards, fleet cards, and convenience checks. FCA’s arrangement for these credit card services is under a tag-along interagency agreement with the Department of Interior’s (DOI) contract with BOA through the U.S. General Services Administration (GSA). FCA’s original arrangement with DOI/BOA was for 6 years. In November 2004, FCA continued BOA services for another year, again under DOI’s contract. This arrangement ends in November 2005.

The Office of Chief Financial Officer (OCFO) is responsible for travel card management for the agency, including issuing travel cards, closing those accounts, and reviewing travel account activity. Further, OCFO performs the reconciliations of billing statements from the Bank of America for purchase card accounts with FCA’s financial management system. Within OCFO, the Financial Operations Specialist is responsible for all travel card duties and responsibilities, and the Designated Billing Officer (DBO) is responsible for reconciling the agency’s purchase card accounts.

The Office of Chief Administrative Officer (OCAO) is responsible for purchase card management for the agency, including issuing purchase cards, fleet cards and convenience checks, closing purchase accounts, and reviewing purchase account activity. The Agency’s Official Point of Contact (AOPC) is responsible for the maintenance of all purchase and fleet credit card accounts.

BOA provides an online system called EAGLS for account management. Designated officials from agencies can obtain up-to-date account information, manage administrative issues concerning accounts, and run reports on account holders, merchants, or offices for internal controls or analysis.

SCOPE AND OBJECTIVE

The objective of this inspection was to evaluate the controls over sensitive credit card information generated by Bank of America for FCA. The inspection was limited to communications between FCA and Bank of America; we also spoke with staff from the Farm Credit System Insurance Corporation (FCSIC) since FCSIC had erroneously received FCA credit card information. Specifically, we evaluated the controls for safeguarding agency and employee credit card information.

Fieldwork began in December 2004 after an entrance conference was held on December 2nd. We performed the following: interviewed FCA staff responsible for travel cards, purchase cards and account reconciliations; reviewed internal procedures for credit card programs; reviewed previous work performed by the OIG; interviewed BOA staff; and reviewed BOA documentation sent to FCA and the documentation available online through EAGLS. The inspection was completed in accordance with the PCIE/ECIE Quality Standards for Inspections.

Farm Credit Administration - Office of Inspector General    1

FINDINGS AND RECOMMENDATIONS

BOA Is Unresponsive to Agency Service Requests

BOA’s poor customer service has hindered FCA’s ability to properly manage credit card accounts. Our review found that the difficulty in getting BOA to fulfill customer service requests has led to improper mailings of sensitive information and incorrect account information.

BOA Sent Sensitive Credit Card Information to Unauthorized Parties

On multiple occasions, the Farm Credit System Insurance Corporation (FCSIC) received mail from BOA that included raw data reports containing detailed credit card information for FCA employees. On one occasion, FCSIC received similar detailed raw data for the Commodity Futures Trading Commission (CFTC). BOA sent these reports to the attention of FCA’s former AOPC, who left the agency in August 2000.

The raw data reports encompass all agency credit card accounts (both open and closed). The reports included name, address (home address and social security numbers for travel cards), account number, and credit limit. According to BOA, a BOA contractor generates and mails the reports through a computerized system. Because there is no manual oversight, BOA cannot detect mailing errors. BOA indicated that FCSIC was in BOA’s records as being under FCA’s hierarchy. BOA also had the former FCA employee (who separated from FCA in 2000) as the point of contact for both FCA and FCSIC. BOA explained that since both entities had the same point of contact and the same address, both agencies’ reports were put in the same envelope. While this explanation appears reasonable, we found the raw data reports are not consistently mailed together. It also does not explain why FCSIC received the CFTC report.

The raw data reports are difficult to read, and useful information is hard to extract from them. The same information in a more useful format can be self-generated through the online system or obtained from the billing statements received by FCA. After discussing our observation with FCA managers and responsible staff, FCA directed BOA to stop sending the raw data reports.

Poor Customer Service Makes Account Management Difficult

FCA must continually work with BOA personnel to maintain the accuracy of agency account information. FCA’s AOPC and FCSIC personnel stated that obtaining assistance from BOA is time consuming and that follow-up is required because there is a lack of confidence that changes will be made by BOA. We were informed of repeated instances where BOA was not responsive to agency requests for assistance. FCA and FCSIC staff gave the following examples:

    •   As noted earlier, BOA had FCA’s and FCSIC’s official agency point of contact as an employee who left FCA almost 5 years ago, although personnel from both agencies stated that they had repeatedly requested that BOA change the point of contact. BOA finally changed the point of contact on February 10, 2005, after the OIG and the AOPC contacted BOA directly. However, BOA put the former point of contact as the backup for FCA, although BOA was informed that he was no longer with the Agency.
    •   FCSIC severed all financial services with FCA in January 2002, and all services with BOA in September 2004. However, according to current BOA records, FCSIC is still under FCA’s hierarchy.
    •   The AOPC informed the OIG that he experiences poor customer service from BOA in responding to requests for changes, updates or assistance with EAGLS applications and account maintenance. He noted requests to BOA are frequently time consuming and cumbersome. Specific examples included:
        -   BOA’s ordering process for convenience checks is flawed and requires personal follow-up by FCA because the ordering forms are inaccurate. FCA has spent a large amount of staff resources over an extended period attempting to remedy the problem with BOA.
        -   BOA provided inaccurate directions for resolving problems encountered with EAGLS and requests for changes.
        -   The EAGLS system does not always retain changes made by FCA employees online. A recent incident showed that although FCA “submitted” a hierarchy change, the information reverted back to the original data.

Similarly, the OIG documented several instances where BOA was not responsive:
        -   Accounts that were closed by FCA personnel through EAGLS as long as six years ago still appear in the EAGLS database and have not been purged. The BOA representative assigned to FCA stated that closed accounts are purged after being closed for 3 years.
        -   BOA did not have a backup representative at the beginning of the fieldwork. The BOA representative for FCA was out of the office for an extended period of time, and some areas of fieldwork were delayed until she returned. At the end of the fieldwork, the BOA representative offered another BOA employee to assist the OIG, but when an attempt was made to contact that employee, he was out of the office for an extended period.

BOA’s unresponsiveness has resulted in inefficiencies and inaccuracies, and it contributed to the improper mailing of sensitive account information.

Agreed Upon Action

1. FCA will review available options for credit card services and, to the greatest extent possible, require performance metrics in any new agreement with a credit card provider.

FCA Can Take Actions to Mitigate Risks of Sensitive Information Being Exposed

Account Information Should Be Kept Current

FCA should ensure that account information for all credit cards is kept up to date and that closed accounts that contain personal information are purged as soon as practical. The EAGLS system contains outdated, erroneous, or missing information about cardholders’ offices or divisions. With the recent changes to EAGLS, FCA can correct much of this information online. The AOPC stated that he has nearly completed the updating of the hierarchy designations for purchase accounts since he is now able to do this online.

We found a large number of closed accounts in the EAGLS online database, some that were closed as long as 6 years ago. There were 210 closed FCA travel accounts and 26 closed purchase accounts in the EAGLS system. The closed travel accounts have former employees’ personal addresses and social security numbers. We also found that six FCSIC employees are listed under the FCA hierarchy with open travel card accounts. These accounts should not be under FCA, and should have been closed since FCSIC stopped using BOA services this past fall. During the inspection fieldwork, the Financial Operations Specialist closed these accounts. Allowing an individual’s personal information to be maintained in an online database when the accounts are no longer needed creates an unnecessary risk to former cardholders’ personal information. All closed accounts should have the cardholder’s personal information immediately removed from the EAGLS online system and the account purged after a reasonable period of time.

Agreed Upon Actions

2. Management will establish an ongoing process that ensures:
     a. Cardholder account information is routinely and accurately updated, and
     b. Personal information is immediately removed from closed accounts and they are purged from the EAGLS online database after a reasonable period of time.

Alternative Processes for Distribution of Sensitive Information Should Be Considered

OCAO and OCFO both maintain hardcopies of individual account information related to their office’s responsibilities. Both offices ensure that the hardcopies are secured in locked cabinets or shredded. However, OCFO provides copies of individual travel billing statements to approving officials for review. Distribution of these billing statements poses a risk since they are sent through interoffice mail in unsealed envelopes.

Security could be improved by providing the information to approving officials in electronic format; however, EAGLS does not provide these statements online for electronic distribution. FCA could create reports for approving officials by using BOA software to download the information. This would also reduce FCA’s costs, since FCA pays a fee for the hardcopies of the travel billing statements.

Another alternative would be for FCA to consider the availability of online billing statements when considering other companies for credit card services, as recommended earlier in this report.

Agreed Upon Action

3. FCA will improve control over sensitive information by using secure methods for disseminating any sensitive information.